author | Steven Rostedt (Red Hat) <rostedt@goodmis.org> | 2015-09-14 14:00:16 -0400 |
---|---|---|
committer | Steven Rostedt <rostedt@goodmis.org> | 2016-03-21 18:05:51 -0400 |
commit | 42fc96f520796c7d18c7372b6ad80292d4a0bc21 (patch) | |
tree | 4813b0ec37267382eb700fabc5ea54979eb314b9 | |
parent | d4321519aec1d6aba5edd5582c21903132990b3d (diff) | |
trace-cmd: Make msgcpy() and optcpy() check for size
Have msgcpy() and optcpy() test the offset + buflen to see if it would
write past the size of the msg or opt. If so, return -EINVAL. The checking of
this return value still needs to be done, but at least we won't be
accidentally overwriting the memory.
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
-rw-r--r-- | trace-msg.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/trace-msg.c b/trace-msg.c
index 373f3746..cacdc1c9 100644
--- a/trace-msg.c
+++ b/trace-msg.c
@@ -154,16 +154,24 @@ static int tracecmd_msg_alloc(u32 cmd, u32 len, struct tracecmd_msg **msg)
 return 0;
 }
 
-static void msgcpy(struct tracecmd_msg *msg, u32 offset,
+static int msgcpy(struct tracecmd_msg *msg, u32 offset,
 const void *buf, u32 buflen)
 {
+ if (offset + buflen > ntohl(msg->size))
+ return -EINVAL;
+
 memcpy(((void *)msg)+offset, buf, buflen);
+ return 0;
 }
 
-static void optcpy(struct tracecmd_msg_opt *opt, u32 offset,
+static int optcpy(struct tracecmd_msg_opt *opt, u32 offset,
 const void *buf, u32 buflen)
 {
+ if (offset + buflen > ntohl(opt->size))
+ return -EINVAL;
+
 memcpy(((void *)opt)+offset, buf, buflen);
+ return 0;
 }
 
 enum msg_opt_command { |
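Review bot: The new bound check in msgcpy() adds two u32 values, so `offset + buflen` can wrap past 2^32 and compare as a small number, letting an oversized copy through to the memcpy() below it. A wrap-free form is `u32 size = ntohl(msg->size);` followed by `if (offset > size || buflen > size - offset) return -EINVAL;`. optcpy() has the identical pattern against `opt->size` and needs the same change. Whether a caller can actually supply lengths that large is not visible in this hunk, but the check is the last line of defence before the write, so it should not depend on that. Both functions would also benefit from a short comment stating that `size` is stored in network byte order and that a non-zero return means nothing was copied.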